Linux Kernel Null-Pointer Dereference Vulnerability in RAID5 Component

Vulnerability

A NULL-pointer dereference exists in the Linux kernel's RAID5 driver (drivers/md/raid5.c), in the sysfs store handler 'raid5_store_group_thread_cnt'. The handler copies 'mddev->private' into a local 'conf' and checks it for NULL, but a NULL result only records an error: execution still reaches 'raid5_quiesce'. 'raid5_quiesce' re-reads 'mddev->private' into its own local 'conf' and dereferences it unconditionally, for example when it sets 'conf->quiesce' to 0 and wakes the quiescence wait queue, so the caller's check gives it no protection. 'mddev->private' is NULL once the RAID5 personality has been torn down (the array has been stopped), and that is the state the handler must observe for the dereference to happen. The fix makes the handler unlock 'mddev' and return -ENODEV as soon as 'conf' is NULL, before any call into 'raid5_quiesce', following the early-return pattern already used by a sibling RAID5 sysfs store handler.
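The following is an added user-space model of the bug and its fix, written for this page; it is not the kernel's code. The struct layouts, the mddev_lock/mddev_unlock stand-ins, the oops counter, the 8192 bound and the exact ordering of lock, check and quiesce calls are assumptions made so the control flow can be run and checked outside a kernel. What it preserves from the real bug is the property described above: the caller's NULL check does not stop raid5_quiesce() from re-reading and dereferencing mddev->private.

```c
/* Added example, not drivers/md/raid5.c: a user-space model of the
 * raid5_store_group_thread_cnt() NULL-pointer bug and the early-return fix.
 * Struct layouts, lock stand-ins, the oops counter and call ordering are
 * assumptions so the control flow runs outside a kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

struct r5conf {
    int worker_cnt_per_group;       /* value written through group_thread_cnt */
    int quiesce;                    /* 0 = running, 2 = quiesced (as in raid5) */
    int wait_for_quiescent_wakeups; /* stand-in for wake_up(&conf->wait_for_quiescent) */
};

struct mddev {
    struct r5conf *private;         /* NULL once the personality is torn down */
    int lock_depth;                 /* stand-in for mddev_lock()/unlock() balance */
};

/* Modelling only: where the kernel would oops on a NULL conf, we count. */
static int null_deref_oopses;

static int mddev_lock(struct mddev *mddev) { mddev->lock_depth++; return 0; }
static void mddev_unlock(struct mddev *mddev) { mddev->lock_depth--; }

/* Model of raid5_quiesce(): it re-reads mddev->private into its own local
 * 'conf' and dereferences it unconditionally (conf->quiesce, wake_up). */
static void raid5_quiesce(struct mddev *mddev, int quiesce)
{
    struct r5conf *conf = mddev->private;

    if (!conf) {                    /* the real function has no such check */
        null_deref_oopses++;
        return;
    }
    if (quiesce) {
        conf->quiesce = 2;
    } else {
        conf->quiesce = 0;
        conf->wait_for_quiescent_wakeups++;
    }
}

/* Parse the sysfs input as a bounded decimal count; -EINVAL on bad input. */
static int parse_thread_cnt(const char *page, unsigned int *out)
{
    char *end;
    unsigned long v = strtoul(page, &end, 10);

    if (end == page || v > 8192)
        return -EINVAL;
    *out = (unsigned int)v;
    return 0;
}

/* Vulnerable shape: a NULL conf only records -ENODEV, and execution falls
 * through to the unquiesce call, which dereferences mddev->private. */
static ssize_t store_group_thread_cnt_vuln(struct mddev *mddev,
                                           const char *page, size_t len)
{
    struct r5conf *conf;
    unsigned int cnt;
    int err = parse_thread_cnt(page, &cnt);

    if (err)
        return err;
    err = mddev_lock(mddev);
    if (err)
        return err;

    conf = mddev->private;
    if (!conf) {
        err = -ENODEV;              /* noted, but we keep going */
    } else {
        raid5_quiesce(mddev, 1);
        conf->worker_cnt_per_group = (int)cnt;
    }
    raid5_quiesce(mddev, 0);        /* NULL dereference when conf was NULL */
    mddev_unlock(mddev);
    return err ? err : (ssize_t)len;
}

/* Fixed shape: unlock and return before anything can touch mddev->private. */
static ssize_t store_group_thread_cnt_fixed(struct mddev *mddev,
                                            const char *page, size_t len)
{
    struct r5conf *conf;
    unsigned int cnt;
    int err = parse_thread_cnt(page, &cnt);

    if (err)
        return err;
    err = mddev_lock(mddev);
    if (err)
        return err;

    conf = mddev->private;
    if (!conf) {
        mddev_unlock(mddev);        /* keep the lock balanced */
        return -ENODEV;             /* raid5_quiesce() is never reached */
    }
    raid5_quiesce(mddev, 1);
    conf->worker_cnt_per_group = (int)cnt;
    raid5_quiesce(mddev, 0);
    mddev_unlock(mddev);
    return (ssize_t)len;
}

int main(void)
{
    struct mddev stopped = { .private = NULL, .lock_depth = 0 };
    ssize_t rc = store_group_thread_cnt_vuln(&stopped, "4", 1);

    printf("vulnerable: rc=%zd oopses=%d\n", rc, null_deref_oopses);
    null_deref_oopses = 0;
    rc = store_group_thread_cnt_fixed(&stopped, "4", 1);
    printf("fixed:      rc=%zd oopses=%d lock_depth=%d\n",
           rc, null_deref_oopses, stopped.lock_depth);
    return 0;
}
```

Both handlers return -ENODEV on a stopped array, which is why the bug is easy to miss in a test that only checks the return value: the difference is that the vulnerable shape has already dereferenced NULL inside raid5_quiesce() by the time it returns, while the fixed shape releases the lock and exits before any call that re-reads mddev->private.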

Impact

Triggering the vulnerability dereferences a NULL pointer in kernel context, which produces a kernel oops in the md subsystem; with panic_on_oops enabled, or when the faulting task dies while holding locks that other md operations need, the whole host goes down. The practical effect is a local denial of service against hosts running RAID5/6 arrays. No memory corruption or privilege escalation is described for this issue.

Reproduction

The handler is reached by writing to the 'group_thread_cnt' attribute of a RAID5/6 array in sysfs (/sys/block/mdX/md/group_thread_cnt), which requires write access to that attribute (root by default). The dereference occurs only when the write is processed while 'mddev->private' is NULL, that is, after the RAID5 personality has been torn down by stopping the array but before the RAID5 sysfs attribute group has been removed. Reproducing the crash therefore means landing a write to the attribute in that window, typically by racing it against an array stop; a write to a running array takes the normal path and does not crash.

Remediation

Upgrade to a kernel that includes the fix; it is available in the Linux kernel stable tree, so check that the running kernel's stable release carries it. Until then, exposure is limited to processes that can write md sysfs attributes, so restricting that access reduces the risk of an accidental or deliberate trigger.

Added: Jan 14, 2026, 3:30 PM
Updated: Jan 14, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  3.4
remediation     7.7
relevance       2.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.